The official GCP tutorial uses SASL_PLAIN with a service account key file. I wanted to use ADC instead. Turns out librdkafka does not actually verify the JWT — it parses header for alg, payload for exp, treats the third segment as opaque. ~30 lines of base64url and a synthesized JWT shape get you OAUTHBEARER on top of a plain ADC access token, no keys on disk. Code and explanation in the post.